To make informed decisions about how to fine-tune risk predictors and policies, you’ll have to accumulate a certain amount of data on authentication attempts and how the risk evaluation impacts them.
You should use the default risk policy for the initial period before you start customizing the policy or defining multiple risk policies.
Fine-tuning your policy is an iterative process and should follow this approach: